DEP Setup configuration command

I am trying to get SetupConfiguration command to work on OSX. I send the admin name and password to the device. The device recognizes the account and asks for the password, however for some reason it is not accepting the password that we enter. I am using the same password that was used in creation of the passwordHash key, sent in the SetupConfiguration command.

I think there is something I am missing while creating the passwordHash and would like to know if somebody had successfully tried this and could post an example of the SetupConfiguration command containing the passwordHash along with the password used to create the hash.

Here's what I have in my plist:


<key>passwordHash</key>
<dict>
    <key>SALTED-SHA512-PBKDF2</key>
    <dict>
        <key>entropy</key>
        <string>[PBKDF2 key derivation of a supplied password]</string>
        <key>salt</key>
        <string>[32 byte randomized salt]</string>
        <key>iterations</key>
        <integer>20000</integer>
    </dict>
</dict>

  • Hi, I'm facing this exact issue when I try implementing the AccountConfiguration command for macOS. May I know whether you were able to implement this and what you have done? FYI: I'm using C# .NET.


Replies

I've used the following Python code to successfully create a plist to add an (admin) user with the correct PBKDF2 hash:


from passlib.hash import pbkdf2_sha512
from passlib.utils.binary import ab64_decode   # passlib 1.7+; older releases export it from passlib.utils
from biplist import Data, writePlist

# Checksum (derived key) size must be 128 bytes for use as an OS X password hash;
# passlib's default for pbkdf2_sha512 is 64 bytes, which the device will not accept.
pbkdf2_sha512.checksum_size = 128
hasher = pbkdf2_sha512.using(rounds=38000, salt_size=32)
# passlib output looks like $pbkdf2-sha512$<rounds>$<salt>$<checksum>, with salt and
# checksum in passlib's "adapted" base64 alphabet
hashed = hasher.hash("password")
_, _, rounds, salt_b64, entropy_b64 = hashed.split('$')
# Decode the "special" base64 encoding passlib applies and store the raw bytes as plist data
outerdict = {'SALTED-SHA512-PBKDF2': {
    'entropy': Data(ab64_decode(entropy_b64)),
    'salt': Data(ab64_decode(salt_b64)),
    'iterations': int(rounds),
}}
writePlist(outerdict, 'admin.plist')


The only requirements are passlib and biplist:

pip install biplist passlib


The output is a valid binary plist containing the password hash inside a data key.

Hi,


As per the Apple documentation:

"The passwordHash data objects should be created on the server using the CommonCrypto libraries or equivalent as a salted SHA512 PBKDF2 dictionary containing three items: entropy is the derived key from the password hash (an example is from CCKeyDerivationPBKDF()), salt is the 32 byte randomized salt (from CCRandomCopyBytes()), and iterations contains the number of iterations (from CCCalibratePBKDF()) using a minimum hash time of 100 milliseconds (or if not known, a number in the range 20,000 to 40,000 iterations). This dictionary of the three keys should be placed into an outer dictionary under the key SALTED-SHA512-PBKDF2 and converted to binary data before being set into the configuration dictionary passwordHash key value."



Do we need to convert the SALTED-SHA512-PBKDF2 dictionary created above into binary format, or do we need to pass the dict directly?

<key>passwordHash</key>
<dict>
    <key>SALTED-SHA512-PBKDF2</key>
    <dict>
        <key>entropy</key>
        <string>[PBKDF2 key derivation of a supplied password]</string>
        <key>salt</key>
        <string>[32 byte randomized salt]</string>
        <key>iterations</key>
        <integer>20000</integer>
    </dict>
</dict>


OR


<key>passwordHash</key>
<data>[SALTED-SHA512-PBKDF2 dict in binary format]</data>
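As an added example covering both replies above (my own code, not from either poster and not Apple's), here is a stdlib-only Python version of the procedure the quoted Apple text describes: derive the 128-byte entropy with PBKDF2-HMAC-SHA512, use a 32-byte random salt and an iteration count calibrated to roughly 100 ms (clamped to the 20,000 to 40,000 range), serialise the SALTED-SHA512-PBKDF2 dictionary to a binary plist, and place those bytes, rather than a nested dict, as the passwordHash data value, which is what the Apple text's "converted to binary data" means. It also re-derives and compares the hash the way the device will at login, so a server can check its own payload before sending the command. Assumptions: all function names are mine; calibrate_iterations only approximates CCCalibratePBKDF(); the surrounding AccountConfiguration key names (AutoSetupAdminAccounts, shortName, fullName, hidden, RequestType) are from my recollection of Apple's MDM protocol reference and should be checked against the current reference before use.

```python
import hashlib
import hmac
import os
import plistlib
import time
from typing import Optional

ENTROPY_LEN = 128                     # derived-key bytes macOS keeps for SALTED-SHA512-PBKDF2
SALT_LEN = 32                         # Apple's documented 32-byte salt
MIN_ITER, MAX_ITER = 20_000, 40_000   # Apple's fallback range when no calibration is done


def derive_entropy(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 of the UTF-8 password with a 128-byte output.
    Stdlib counterpart of CCKeyDerivationPBKDF() with SHA-512 as the PRF."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=ENTROPY_LEN)


def calibrate_iterations(min_ms: float = 100.0) -> int:
    """Rough stand-in (my approximation) for CCCalibratePBKDF(): time a short probe,
    scale the count so one derivation takes about min_ms, clamp to 20k-40k."""
    probe = 2_000
    start = time.perf_counter()
    derive_entropy("calibration-probe", bytes(SALT_LEN), probe)
    elapsed_ms = max((time.perf_counter() - start) * 1000.0, 1e-3)
    return max(MIN_ITER, min(MAX_ITER, int(probe * min_ms / elapsed_ms)))


def build_password_hash(password: str, iterations: int,
                        salt: Optional[bytes] = None) -> bytes:
    """Return the bytes for the passwordHash <data> value: a *binary* plist of
    {'SALTED-SHA512-PBKDF2': {'entropy', 'salt', 'iterations'}}.
    entropy and salt are stored as raw data, not strings."""
    if salt is None:
        salt = os.urandom(SALT_LEN)       # CCRandomCopyBytes() equivalent
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    if iterations < MIN_ITER:
        raise ValueError("iteration count below Apple's minimum of %d" % MIN_ITER)
    inner = {"SALTED-SHA512-PBKDF2": {
        "entropy": derive_entropy(password, salt, iterations),
        "salt": salt,
        "iterations": iterations,
    }}
    return plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)


def unpack_password_hash(blob: bytes) -> dict:
    """Parse the binary plist back into its entropy/salt/iterations dictionary."""
    return plistlib.loads(blob)["SALTED-SHA512-PBKDF2"]


def verify_password_hash(blob: bytes, password: str) -> bool:
    """Re-derive the entropy from the stored salt and iteration count and compare in
    constant time; this mirrors the device's login check, so a server can catch a
    wrong key length or a mismatched password before the command is sent."""
    params = unpack_password_hash(blob)
    expected = derive_entropy(password, params["salt"], params["iterations"])
    return hmac.compare_digest(expected, params["entropy"])


def account_configuration_xml(short_name: str, full_name: str, password: str,
                              iterations: int, salt: Optional[bytes] = None) -> str:
    """Render an admin-account entry as XML plist text so the passwordHash value can be
    seen as <data>. Key names other than passwordHash are an assumption (from memory
    of Apple's AccountConfiguration reference); verify before relying on them."""
    command = {
        "RequestType": "AccountConfiguration",
        "AutoSetupAdminAccounts": [{
            "shortName": short_name,
            "fullName": full_name,
            "passwordHash": build_password_hash(password, iterations, salt),
            "hidden": False,
        }],
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML).decode("utf-8")


if __name__ == "__main__":
    rounds = calibrate_iterations()
    blob = build_password_hash("password", rounds)
    print("iterations:", rounds, "blob bytes:", len(blob))
    print("verifies:", verify_password_hash(blob, "password"))
    print(account_configuration_xml("admin", "MDM Admin", "password", rounds))
```

Because verify_password_hash compares the full 128-byte entropy, it returns False for a payload built with a 64-byte derived key (the passlib default mentioned in the first reply) or with a different password, which are the two most likely reasons the device rejects the password while still recognising the account.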